Introduction

This document describes Layer 3 (L3) backup routing in a virtual port channel (vPC) setup. Cisco recommends that you use the peer-gateway exclude-vlan command when you use F1 modules on the peer-link.

Note: If the vPC peer link is configured on a Cisco Nexus 32-port 1/10 Gigabit Ethernet (F1-Series) module (N7K-F132XP-15), you must include the L3 backup routing VLAN in the VLAN list specified by the peer-gateway exclude-vlan command.

Prerequisites

Requirements

Components Used

The information in this document is based on these software and hardware versions:

Cisco Nexus 7000 Series Switch, Release 5.1(3) and later

Mixed chassis with M1 and F1 line cards

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Network Diagram

The topology used in this document is:

The vPC peer-link is built on F1 modules. M1 modules are allocated to the VDC for proxy-routing functionality; the M1 modules terminate the L3 uplinks into the core layer. There are two Cisco Nexus 7000 switches:

n7k-agg1 (MAC 0000.0000.0001)

n7k-agg2 (MAC 0000.0000.0002)

Peer-Gateway Overview

Peer-gateway is a vPC feature that allows vPC peer devices to act as a gateway for traffic destined to the MAC address of their peers. In this example, a host in VLAN 10 (10.1.1.100) sends a frame northbound to the host 172.16.1.1. The gateway for the host in VLAN 10 is n7k-agg1 (MAC 0000.0000.0001).

The destination MAC address of the frame is the n7k-agg1 MAC (0000.0000.0001). The Layer 2 (L2) switch connects to the Cisco Nexus 7000 switches through a vPC. As a result, this frame can hash toward n7k-agg1 or n7k-agg2. In this example, the port-channel load balancing algorithm hashes the frame on the link connected to n7k-agg2.

n7k-agg1 is configured in the same vPC domain as n7k-agg2, and peer-gateway is enabled. As a result, n7k-agg2 programs the MAC address for n7k-agg1 with the Gateway (G) flag in the MAC table for all switch virtual interfaces (SVIs) allowed across the peer-link, and vice versa.

vPC L3 Backup Routing with F1 and Peer-Gateway

vPC L3 backup routing refers to traffic routed between vPC peers over the peer-link. Assume the two L3 uplinks on n7k-agg2 (from the previous example) are now down. If there is a routing protocol such as Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP) that is running between the two Cisco Nexus 7000 switches on one of the vPC VLANs, n7k-agg2 has an alternate route across the peer-link.

The L3 next hop to the 172.16.1.1 destination is n7k-agg1 MAC 0000.0000.0001 on VLAN 99. Any VLAN allowed on the vPC peer-link is, by definition, a vPC-enabled VLAN. VLAN 99 is a vPC-enabled VLAN. Because peer-gateway is enabled, VLAN 99 is programmed with the Gateway flag. This traffic flow is tunneled in software between the two Cisco Nexus 7000 switches when F1 modules are used for the peer-link.

Use ethanalyzer in order to see this flow on the inband. Because ethanalyzer captures only traffic sent to the CPU for software processing, you do not see traffic that is successfully forwarded in hardware.

Traffic switched in software can experience delay and extreme packet loss due to control plane policing (CoPP) and hardware rate-limiters. Overall performance is slower for software forwarding than hardware forwarding.

In summary, because of the hardware implementation of proxy-forwarding on F1, traffic that meets all of these conditions is tunneled in software:

The L3 next hop for a vPC device is its vPC peer on a vPC-enabled VLAN.

The Gateway flag is set for the next hop MAC address.

F1 interfaces are used on the peer-link.

Peer-Gateway Exclude VLAN

Use the peer-gateway exclude-vlan vlan-number command in order to allow L3 backup routing to be performed in hardware with F1 modules on the peer-link. In this example, the two Cisco Nexus 7000 switches are running an OSPF Interior Gateway Protocol (IGP) on VLAN 99. Therefore, you should exclude peer-gateway only on VLAN 99 in order to allow this traffic flow to be forwarded in hardware.
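The check below is an added example, not part of the original Cisco document: it scans a running-config excerpt for SVIs that run a non-passive IGP while peer-gateway still covers their VLAN, which is the condition that sends L3 backup routing to software when the peer-link is on F1 modules. Assumptions: the function names are hypothetical, the sample configuration is constructed, the peer-link is taken to be on F1 modules (the excerpt cannot show this), and any non-passive OSPF or EIGRP SVI is treated as a candidate backup routing VLAN.

```python
import re

# Constructed sample running-config excerpt (not from the page's lab devices).
SAMPLE_CONFIG = """\
vpc domain 1
  peer-gateway
interface Vlan10
  ip router ospf 1 area 0.0.0.0
  ip ospf passive-interface
interface Vlan99
  ip router ospf 1 area 0.0.0.0
"""

def sections(config):
    """Map each top-level config line to its indented child lines."""
    out, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def expand_vlans(spec):
    """Expand a VLAN list such as '99,200-202' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def unexcluded_backup_vlans(config):
    """SVI VLANs running a non-passive IGP that peer-gateway still covers."""
    secs = sections(config)
    vpc = next((b for h, b in secs.items() if h.startswith("vpc domain ")), [])
    if not any(l.split()[:1] == ["peer-gateway"] for l in vpc):
        return []  # peer-gateway off: no Gateway flag is programmed
    specs = re.findall(r"^peer-gateway exclude-vlan (\S+)$", "\n".join(vpc), re.M)
    excluded = set().union(*map(expand_vlans, specs))
    flagged = []
    for head, body in secs.items():
        svi = re.fullmatch(r"interface Vlan(\d+)", head)
        igp = any(re.match(r"ip router (ospf|eigrp) ", l) for l in body)
        passive = any("passive-interface" in l for l in body)
        if svi and igp and not passive and int(svi.group(1)) not in excluded:
            flagged.append(int(svi.group(1)))
    return sorted(flagged)
```

On the constructed sample, VLAN 99 is reported; once the vPC domain carries `peer-gateway exclude-vlan 99`, the result is empty.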